Since Scott didn't specifically say it, I will: Yes, DHCP can be exploited
remotely. Network Management Systems are able to keep track of DHCP
servers this way. Directed, or Unicast, UDP traffic should illicit similar
response as the broadcast UDP traffic used by normal DHCP requests.

Scott Gifford <sgifford@suspectclass.com>
>Akop Pogosian <akopps@CSUA.Berkeley.EDU> writes:
>
>
>[...]>
>
>> My question is, is it possible for an attacker who comes from
>> outside of the trusted subnets to which dhcp server connects
>> directly to spoof the IP source address to look like 0.0.0.0 in
>> order to run an exploit on dhcpd? If yes, how can I prevent this?
>
>Block it at your border router, along with other Martian packets.
>
>Blocking the DHCP ports at the router also isn't a half-bad idea.